A report filed by UK publication The Register details a serious weakness in most Android handsets currently being sold. The vulnerability would allow attackers to collect and reuse authentication tokens stored on a handset after a user authenticates to a password-protected service. “The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier,” reads the report, quoting research from the University of Ulm. “After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.” Google has issued a patch for the ClientLogin protocol with Android 2.3.4 and Android 3.0, but, as The Register points out, only 1% of Android devices are currently running the updated code.

In a filing with the Securities and Exchange Commission (SEC), information management company EMC admitted that an “extremely sophisticated” attack was in progress against its computer network. Specifically targeting the company’s security division, the intruders stole confidential data related to RSA’s SecurID products. EMC acquired RSA Security in the fourth quarter of 2006 for just under $2.1 billion. RSA SecurID provides a form of two-factor authentication that adds a second layer of network security to protect against outside threats and compromised passwords; the technology is used by governments, the military, financial institutions, hospitals, and businesses around the globe. RSA declined to comment on the nature of the attack or to say exactly how much data was accessed by the network intruders.